This report is the Final Report on the research project "Models and
Techniques for Evaluating the Effectiveness of Aircraft Computing Systems"
conducted for the NASA Langley Research Center under NASA Grant 1306. The
subject grant was initiated 1 May 1976 for a one year period, extended 1 May
1977 for a second one year period, extended 1 June 1978 for a third one year
period, extended 1 July 1979 for a fourth one year period, extended 1 July
1980 for a fifth one year period, and extended 1 July 1981 for a sixth one
year period. This report summarizes work accomplished throughout the period
of the grant, that is, the period from 1 May 1976 to 30 June 1982, hereafter
referred to as the grant period.

The purpose of this research project was to develop models, measures, and
techniques for evaluating the effectiveness of aircraft computing systems. By
"effectiveness" in this context we mean the extent to which the user, i.e., a
commercial air carrier, may expect to benefit from the computational tasks
accomplished by a computing system in the environment of an advanced
commercial aircraft. Thus, the concept of effectiveness involves aspects of
system performance, reliability, and worth (value, benefit) which must be
appropriately integrated in the process of evaluating system effectiveness.
Specifically, the primary objectives of this project are:

I. The development of system models that can provide a basis for the for- 
mulation and evaluation of aircraft computer system effectiveness, 

II. The formulation of quantitative measures of system effectiveness, and 

III. The development of analytic and simulation techniques for evaluating 
the effectiveness of a proposed or existing aircraft computer. 

During the first year of the project, a decision was made to decouple the
performance and reliability aspects of effectiveness from the worth aspect,
and to focus the effort on issues of performance and reliability. As argued
when this research was originally proposed and as substantiated by research
accomplished to date, the issues of performance and reliability must be dealt
with simultaneously in the process of evaluating the effectiveness of
"degradable" computing systems. The term "performability" was introduced to
refer to this unification of performance and reliability, and performability
was identified with effectiveness in the statement of objectives I-III.

Research performed to date has made considerable progress toward the 
accomplishment of these objectives. During the first three years of the project 
[27], [31], [34]-[37] our effort was devoted primarily to the development of 
user-oriented methods wherein performance is represented by a discrete per- 
formance variable (DPV). In the fourth year [23], [24], work on refinements of 
the DPV methodology was accompanied by an initial investigation of design- 
oriented evaluation methods, where we seek closed-form solutions of continu- 
ous performance variables (CPV’s) as well as DPV's. 

In view of this progress and in keeping with future needs expressed by the 
NASA Langley Research Center, research proposed for the fifth year was more 
broadly conceived and had the following overall objective (which includes I-III 
above): 

The development of formal models and methods to 
aid the design and validation of fault-tolerant 
avionic systems. 

During the fifth year [20], [21], investigation of design-oriented evaluation 
methods evolved into a major activity, balanced by a continued effort on refine- 
ments of the DPV methodology. The latter is aimed at taking the existing 
methodology to a point where it can be translated, with relative ease, into a 
programmed evaluation tool suitable for AIRLAB. 

With the understanding that support, under the subject grant, would terminate
after the sixth year (the current funding period), the research proposed for
this year [38] was a continuation of the previous year's activity, in an
effort to reach a logical stage of completion for the overall project.
Activity during the first half of this year was described in [16].

Section 2 of this report reviews the manpower effort proposed for the 
current year and lists the personnel involved in conducting the investigation, 
along with their levels of effort during the last six months of the grant. Section 
3 summarizes the research performed during the grant period. 

2. PERSONNEL 

In the proposal for the current year [36], it was estimated that the follow- 
ing effort would be required. 

Principal Investigator

60%, July 1981
100%, August 1981
20%, September - December 1981
10%, January - May 1982

Two Graduate Student Research Assistants

50%, July - August 1981
25%, September - December 1981

Secretary

25%, twelve months, calendar year.

During the six month period from 1 January 1982 to 30 June 1982, personnel
and their levels of effort have been as follows.

Principal Investigator 

John F. Meyer: 20%, January-May 1982 

Secretary 

Virginia Folsom: 25%, January - June 1982

3. TECHNICAL STATUS

The following sections briefly describe the technical status of the research
conducted during the grant period. The work summarized here is described in
more detail in the appropriate Semi-Annual Status Reports or Technical
Reports.

3.1. Review and Assessment of Related Work

During the first three months of the project, we reviewed and assessed
related work bearing on the objectives of the project. This work is described
in [37] and included an assessment of traditional structure-based reliability
models in an effort to indicate how such models might be generalized to
provide a basis for the formulation and evaluation of system effectiveness.

3.2. System Requirements, Missions, and Tasks

In order to practically evaluate system effectiveness, it is essential to 
have an understanding of the user's desired object system goals, in conso- 
nance with the requirements, constraints, and interface characteristics of the 
"world" in which it will ultimately operate. Early in the grant, we devoted 
some effort towards delineating system requirements, constraints, etc., asso- 
ciated with the use of aircraft computers by commercial air carriers. Efforts 
in this direction have been initiated by others (see [39], [40], for example) and 
we attempted to build on these existing views as much as possible. The pur- 
pose of this activity was not to obtain a set of system specifications, per se, 
but, instead, to obtain appropriate informal descriptions of system behavior at 
various levels of abstraction. The results of this activity are described in [37]. 

3.3. Development of System Models 

In parallel with our efforts to develop informal descriptions of system
behavior (see Section 3.2), we initiated during the first year the
development of a formal model hierarchy whose levels of abstraction
correspond to informal descriptions at the mission level, functional task
level, and computational task level. The bottom level of the hierarchy
corresponds to low level descriptions of the computer's hardware and
software.

We seek a model of the total system with a behavior relating directly to the
user's requirements and a structure accurately describing the probabilistic
nature of the system's components. This view requires a high, user-oriented
level with scope comprising the total system (i.e., the air carrier) as well
as a low, structure-oriented bottom level comprising the object system (i.e.,
the computing system and closely related peripheral equipment).

In order to relate the performance of the computer hardware (bottom level) to
the accomplishment of user-oriented missions (top level), intermediate levels
may also be necessary. Because the bottom level concerns the object system,
we have found that information from non-object systems (e.g., environment,
supporting, and related systems) may be more easily introduced at these
intermediate levels. Using what we call "basic variables," we can incorporate
each non-object system into the hierarchy based on the level at which that
information is used. For example, "weather" does not depend on any aircraft
function and yet it can affect the mission outcome; thus, weather may be
introduced at the aircraft functional level.

The bottom model, along with the higher level basic variables, are referred
to collectively as the "base model" of the total system. Formally, the
connection between the behavior of the base model and that of the top
(mission) level is expressed by a "capability function" $\gamma$. In general,
the interaction between various levels of a model hierarchy can be viewed
either as part of the hierarchy, per se, or as something which is determined
later, in the process of using the model to analyze some aspect of system
behavior, e.g., its performability. Either view is legitimate, but the latter
appears to be more convenient for the purpose of classifying and discussing
these interactions. In [36] we introduced these concepts and, for the case of
a discrete set of accomplishment levels, developed some simple descriptions
of higher level models, along with some stochastic models that can serve as
bottom level models in the hierarchy. In [35] we developed a
probability-theoretic basis for the modeling framework discussed in [36],
[37]. This formal representation permits us to rigorously state various
intuitive concepts and assumptions associated with models of the total
system. It also provides us with a more precise foundation for the
investigation of model simplification techniques such as time "phasing" and
state "lumping." Early work on this problem was presented at [11]; the formal
basis for the modeling framework was published in [9], presented at
[14]-[16] and further refined in [26] and [2].

3.4. Phased Models

One approach to dealing with a time-varying environment is to decompose the
system's utilization period into consecutive time periods (usually referred
to as a decomposition of the system's "mission" into phases; see [41]-[43],
for example). Demands on the system are then allowed to vary from phase to
phase; within a given phase, however, they are assumed to be time-invariant.
This permits intraphase behaviors to be evaluated in terms of conventional
time-homogeneous models, but raises the interesting question of how the
intraphase results are combined. This is the essential question addressed in
investigations of "phased mission" reliability evaluation methods (e.g.,
[41]-[43]) where the problem has been constrained as follows. It is assumed,
first, that a "success criterion" (formulated, say, by a "structure
function"; see [43] for instance) can be established for each phase, where
the criterion is independent of what occurs during other phases. It is
required further that successful performance of the system be identified with
success during all phases, that is, the system performs successfully if and
only if, for each phase, the corresponding success criterion is satisfied
throughout that phase.

Although the above constraints are reasonable for certain types of systems,
they exclude systems where successful performance involves nontrivial
interaction among the phases of the mission. In more exact terms, it has been
shown (see [10], Theorem 6) that such "structure-based" formulations of
success are possible if and only if the phases are "functionally independent"
in a precisely defined manner. What we have done, therefore, is examine the
utility of "phased models" in a less restricted context.

In addition to removing the above constraints, we have extended the domain of
application to include evaluations of computing system performability.
Finally, unlike the models used in phased mission reliability evaluation, we
permit the state sets of the intraphase models to differ from phase to phase.
Thus, the modeling of a particular phase can be tailored not only to the
computational demands of that phase but also to the relevant properties of
the total system which influence performance during that phase. We
investigated phased base models in [7], [30].

3.5. Generalized Phased Models

In the context of our current discrete performance variable (DPV)
methodology, phased models (see Section 3.4) play a central role in that they
permit the capability function to be formulated in terms of a discrete-time
stochastic process X derived from a continuous-time base model X. As defined
and investigated in [7], [30], a phased base model X is obtained from X by
essentially sampling the intraphase processes at the ends of their respective
phases. Such models suffice when there are no cycles in the
state-transition-rate diagrams of the intraphase processes (see the
evaluation of SIFT [3], [6], [33], for example). On the other hand, if there
is a non-zero probability of entering a previously visited state (e.g., when
recovering from a transient fault or a software error), then an end-of-phase
sample may no longer reflect the intraphase behavior.

To rectify this deficiency, we have investigated a more general notion of
phasing wherein the random variable associated with phase k is a "summary" of
the system's behavior during phase k. More precisely, the intraphase model is
regarded as a performability model in its own right, where the performance
variable (denoted $Y_k$) is the variable that summarizes the intraphase
behavior during phase k. Assuming m phases, the set of variables
$X = (Y_1, Y_2, \ldots, Y_m)$ then constitutes a discrete-time model on which
the formulation of the capability function is based.

Study of these generalized phased models involved two principal activities.
The first concerns formulating capability functions via special types of
"organizing functions" so as to facilitate the solution of trajectory sets
(of the process X); see [17]. The second area concerns how the probabilistic
nature of X (i.e., the probability distributions of the variables $Y_k$) is
determined. Here we invoke the concept of a functional of a stochastic
process (see [44], for instance). To determine the performability of each
intraphase performability model, we have developed solution techniques
involving Markov renewal theory and Laplace transform methods. The approach
permits us to express the solutions in terms of matrix representations which
can then be applied to the iterative formulas developed to evaluate the
performability of the phased model.

This work is documented in [5], [17], [25].

In system analysis, the concept of dependence among subsystems is often based
on their physical interconnections. However, subsystems may also depend on
one another as they cooperate in the realization of some specified level of
system performance. Such dependence is referred to as "functional," where
dependent objects may be distinguished in time as well as space, e.g., a
subsystem observed at one time may functionally depend on itself (or on some
other subsystem) observed at another time. The need for a general concept of
functional dependence arises in the context of performability evaluation.
Questions about the nature, properties, and use of functional dependence were
studied and reported upon in [10], [35]-[37] and extended in [34].

Classically, when one looks for the dependencies between subsystems, it is in
the hope that the subsystems under consideration will turn out to be
independent. In this case, each subsystem can then be studied separately.
However, not all forms of dependency necessarily complicate the analysis. For
instance, if one knows that subsystem $S_2$ "totally" depends on subsystem
$S_1$, that is, if knowing the state of $S_1$ yields all the relevant
information about $S_2$, then one may essentially disregard $S_2$ when
analyzing the total system. In particular, such simplifications are often
made in evaluations of system reliability.

In [10], we considered functional dependence between system coordinates
where, generally, a given coordinate represents some specified part
(subsystem) of the system observed at some specified point in time. This set
(D) of system coordinates was assumed to be finite. Dependence was defined
relative to a "structure set" R where R is a subset of the Cartesian product
set determined by the system coordinates. (Because of the central role of the
set R, we sometimes refer to functional dependence as "R-dependence.") In
[34], we investigated functional dependence when the index set D is countably
infinite.

Using the basic functional dependence theorems, we established the
fundamental limitations of reliability modeling that is based on "structure
functions" or, equivalently, their representation by "fault trees." In
particular, we showed that any phased system model, wherein the capability
function can be described by a sequence of structure functions (fault-trees),
is characterized by a total absence of functional dependence among the phases
(where the dependence is relative to the set of all state trajectories
corresponding to system "success"). One of the features of performability
modeling, on the other hand, is its ability to accommodate interphase
dependencies.
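
The following is an added example, not code from the report or from METAPHOR, illustrating the phased discrete-performance-variable evaluation of Section 3.4 and the interphase dependence discussed above. It assumes a constructed three-processor system with no repair, constructed phase rates and durations, and a constructed capability function; it then checks whether the resulting "success" set could be written as one success criterion per phase.

```python
from itertools import product
from math import comb, exp

N = 3  # processors at mission start (constructed)
# (phase name, failure rate per processor per hour, duration in hours): constructed
PHASES = [("takeoff", 2e-3, 0.5), ("cruise", 1e-3, 6.0), ("landing", 2e-3, 0.5)]


def phase_matrix(rate, hours, n=N):
    """Intraphase model: P[i][j] = Pr(j working at phase end | i at phase start).

    Independent exponential failures and no repair, so the state-transition
    diagram is acyclic and an end-of-phase sample captures the phase.
    """
    p = exp(-rate * hours)  # probability that one processor survives the phase
    return [[comb(i, j) * p**j * (1 - p)**(i - j) if j <= i else 0.0
             for j in range(n + 1)] for i in range(n + 1)]


def trajectory_probs(phases=PHASES, n=N):
    """Probability of every reachable trajectory u = (q_1, ..., q_m)."""
    mats = [phase_matrix(rate, hours, n) for _, rate, hours in phases]
    probs = {}
    for u in product(range(n + 1), repeat=len(phases)):
        pr, prev = 1.0, n
        for mat, q in zip(mats, u):
            pr *= mat[prev][q]
            prev = q
        if pr > 0.0:
            probs[u] = pr
    return probs


def capability(u):
    """Constructed capability function: trajectory -> accomplishment level.

    The level depends on capacity summed over all phases, so a degraded early
    phase raises what later phases must deliver (interphase dependence).
    """
    if u[-1] == 0:
        return "a2"          # no processor left at the end of the mission
    total = sum(u)
    if total >= 8:
        return "a0"          # full accomplishment
    if total >= 5:
        return "a1"          # degraded accomplishment
    return "a2"              # failure


def inverse_image(level, probs, gamma=capability):
    """Trajectory set gamma^{-1}(level), restricted to reachable trajectories."""
    return {u for u in probs if gamma(u) == level}


def performability(probs, gamma=capability):
    """Probability of each accomplishment level: mass of its inverse image."""
    perf = {}
    for u, pr in probs.items():
        level = gamma(u)
        perf[level] = perf.get(level, 0.0) + pr
    return perf


def per_phase_criteria_suffice(success, reachable):
    """True iff `success` can be written as one success criterion per phase.

    Per-phase criteria R_1, ..., R_m accept exactly the reachable trajectories
    in R_1 x ... x R_m, so `success` must equal the reachable part of the
    product of its own per-phase projections.
    """
    if not success:
        return True
    proj = [set(col) for col in zip(*success)]
    closure = {u for u in reachable if all(q in p for q, p in zip(u, proj))}
    return closure == set(success)


if __name__ == "__main__":
    probs = trajectory_probs()
    for level, pr in sorted(performability(probs).items()):
        print(f"{level}: {pr:.6f}")
    success = inverse_image("a0", probs) | inverse_image("a1", probs)
    print("per-phase criteria suffice:",
          per_phase_criteria_suffice(success, set(probs)))
```

With these constructed values the trajectory (2, 1, 1) passes every per-phase projection of the success set yet maps to failure, which is why no sequence of per-phase criteria reproduces this capability function.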

3.7. Hierarchical Modeling of Air Transport Missions

Several prototype air transport models were examined in the course of 
the grant period. These models are described in detail in [3], [6], [8], [34]- 
[37]. Many of these models are comprehensive examples and illustrate some 
of the concepts discussed in the previous sections. We also initiated an ambi- 
tious modeling project of the FTMP computer [45], [46]; see [20], [21], [23], 
[24]. 

3.8. Evaluation Algorithms and Programs 

Concurrent with the development of performability models, concepts, measures,
and measure formulations, we also initiated the development of evaluation
algorithms [20], [21], [23], [24], [34], [35]. As an implementation of these
algorithms, we also began development of prototype tools for the purpose of
investigating design issues. These tools were incorporated into the software
package called METAPHOR (Michigan Evaluation Aid for Perphormability) [29],
[32]. Since its inception, METAPHOR has progressed through several
implementations. The earliest version took as input the base model trajectory
sets for each accomplishment level and information about the probabilistic
nature of the base model; from this data, METAPHOR calculated the system's
performability. However, obtaining the base model trajectories is generally
difficult and so the later versions automated to a great extent this portion
of the modeling.

The algorithms in which we were particularly interested are those for
calculating the base model trajectory set associated with an accomplishment
level a. The goal here was to automate those tasks which are mechanical,
laborious, and error-prone. These tasks include:

(1) Calculating the inverse image $\gamma_{i+1}^{-1}(a)$, i.e., the set of
all base model state trajectories at level i+1 that correspond to an
accomplishment level a, given the inverse image

(2) Finding a minimal representation (in terms of the number of array 
products; see [35], p. 96) of trajectory sets, 

(3) Checking that all trajectories have been included for each "coordi- 
nate inverse" of the interlevel translation and if some of those 
trajectories have not been so included, determining which have been 
excluded, and 

(4) Allowing input of non-mutually exclusive trajectory sets. 

During the reporting period, work was completed on the implementation of an
algorithm for items (3) and (4). An algorithm for item (1) was designed and
partially implemented: METAPHOR can now evaluate our earlier examples (e.g.,
the somewhat complex example of [35]) with no difficulty, and can proceed to
a significant depth (to the last level) with the evaluation of the SIFT
example [34]. Regarding item (2), criteria of representation efficiency,
other than the number of array products, were investigated. Because we are
dealing with computational algorithms, "efficiency" relates to both

1) the amount of space required to represent the functions, and

2) the amount of time required to determine the representations of those
functions.

We investigated some of the space and time tradeoffs for computing
$\gamma^{-1}$ [20].

3.9. Closed-form Models and Solutions

Our work on the derivation of closed-form performability solutions was 
motivated by design considerations and, specifically, by the need to support 
design-oriented validation. Efforts dealing with each of these needs have been 
pursued during the reporting period, with the emphasis placed on design- 
oriented validations. 

If a performability evaluation indicates that a system design is valid, i.e.,
the system satisfies its performability specification, then the evaluation
has served its purpose. (This is not to say that this phase of the validation
process is complete; other validation methods, both formal and informal, must
be invoked so as to establish greater confidence in the design's validity.)
If, on the other hand, the results of a performability evaluation disclose
that a design is deficient, the performability data need not be indicative of
just how the design should be modified. This is due to the fact that lower
level, design-oriented details are often suppressed by a user-oriented
performance variable. Hence early validation (during the design process) at
lower system and subsystem levels is required if negative results are to
indicate how the design should be modified. In the latter validation context,
and more generally, in the context of "design aids," performability models
and solutions can likewise play an important role. To support the
investigation of various design tradeoffs, we investigated various methods
which yield parametric performability solutions, expressed in terms of
various system and environmental parameters.

Generally, the difficulties encountered in parametric evaluation are due to
the fact that performability must be formulated directly in terms of
performance levels, thereby restricting the mathematical nature of the
capability
function. To compensate for these restrictions, one seeks methods for 
representing underlying variations (at the base model level) in a form that 
matches constraints imposed by the capability function. Another strategy, 
which can be applied simultaneously, is to relax these restrictions via innova- 
tive decompositions of the capability function and the solution procedure. 

We began our investigations by studying a degradable dual-processor with an
input buffer (queue) for the temporary storage of computational tasks that
arrive randomly at the input. To solve this system, we extended the kind of
Markovian queueing models that are currently employed to evaluate the
performance of a (fault-free) computer (see [47], [48], for example). When so
extended, these models are able to represent variations in structure, due to
faults, as well as variations in internal state and environment. In solving
the performability, our strategy is to lump states of the base model so that,
within a lump, the model exhibits a steady-state behavior (to a close
approximation). This permits decomposition of the solution into an
equilibrium (steady-state) part and a transient part. The equilibrium part
employs techniques that typically are used in solving queueing models; the
transient part is more difficult and calls for innovative extensions of known
techniques. Here, through a hierarchical decomposition of the capability
function and an appropriate partitioning of the accomplishment set, we are
able to obtain the desired solution. Our initial work is described in [26].

We further extended these results to the modeling of a degradable
buffer/multi-processor system with N processors. In the context of this
generalized example, we were forced to develop a more systematic solution
procedure (for the transient part of the solution) that could be feasibly
applied to a system with more than two processors. Various solution
approaches were considered, including a recursive formulation patterned after
a formulation proposed by Howard (see [49], p.861) for determining the
"expected value" of a similar type of performance variable. What we seek,
however, is the complete probability distribution function of Y (not just its
expected value E[Y]) and, when so formulated, we were unable to find a
feasible means of solving the equations. (Even in the case of expected
values, the Howard formulation does not appear to yield a practical means of
solution.) The solution procedure we finally adopted was a natural extension
of that used in the two processor case discussed in [26]. The results of this
effort were presented at [13] and were documented in [1], [4], [22].

The algorithm that we developed delineates in broad terms the basic method
for arriving at solutions. We have further investigated specific techniques
for actually carrying out the prescribed steps. In particular, the regions of
integration Cy = 7 f‘(F) (see [22], p. 22) must be characterized. Thus, the
computational example presented in [4] was derived in a relatively ad hoc
manner; effectively, the solution was based on a graphical argument. Such an
approach becomes more difficult when the number of servers is three and
becomes intractable when the number of servers grows to four or more. In
[20], we presented an integral solution for the class of systems having the
single state trajectory (m, m-1, ..., 0). The crux of the solution is the
characterization of the regions Cy. We have also solved examples where the
underlying operational model is not Markov. For instance, we have examined
systems where failure rates are dependent on the history of the system; see
[18].

3.10. Stochastic Modeling Parallel Systems 

This work was motivated by our concern with modeling complex integrated
systems such as avionic systems where, due to additional complexity (as
compared, say, with an aircraft computer), representation must take place at
higher (less detailed) levels of abstraction. When represented at such
levels, a system will typically exhibit a greater amount of parallelism
and/or nondeterminacy. Parallelism and nondeterminacy are important
properties of complex systems which have been studied in a variety of
contexts. There is a lack, however, of universal definitions which clearly
distinguish these notions; in most cases, they are either intermixed or
viewed as the same. One reason is that most existing models of parallel
systems (e.g., Petri nets [50]) fail to distinguish nondeterminism due to
parallelism from nondeterminism due to uncertainty in the consequences of an
action (we refer to the latter as "nondeterminacy"). In Keller's concept of a
"named transition system" [51], nondeterminacy can be distinguished in
certain cases (i.e., when two or more transitions from the same state have
the same name), but not in all cases.

To remedy this deficiency, our work has included formulation of a class of
general models, called dynamic transition systems (DTS's), wherein
parallelism and nondeterminacy can be clearly distinguished; see [18]. DTS's
represent system state-behavior at the same level of abstraction as Keller's
named transition systems, but are more general in that the "enabling" of
transitions is no longer tied to the transition relation. (In a named
transition system, a transition t is "enabled" in state q if and only if
there is a state transition from q named t.) Instead, we allow the set of
enabled transitions to be one of a specified set of alternatives, thereby
introducing a source of nondeterminacy that has useful interpretations and is
easily distinguished from parallelism. Moreover, this same distinction can be
captured in lower level (more detailed) network models, e.g., a class of
models called dynamic P-nets (DPN's) which constitute an analogous
generalization of (ordinary) Petri nets; see [18].

Our principal objective in defining DTS's and DPN's was to provide a more
suitable point of departure for formulating stochastic versions of these
models. Accordingly, our concept of a stochastic transition system (STS) is
defined as the stochastic extension of a DTS; likewise, a stochastic P-net
(SPN) is the stochastic extension of a DPN.

The modeling power of STS's and SPN's is quite extensive and includes, for
example, all systems that can be modeled by Markovian queueing models. The
latter, however, are restricted in their ability to represent various forms
of parallelism and nondeterminacy. Different models have been proposed to
overcome these deficiencies [52]-[59] but, with the exception of [59], these
models appear to have limited applicability. On the other hand, the type of
stochastic Petri nets proposed by Natkin [59] are better suited to our needs
and provided a stimulus for our current research. There remained, however,
the problem of distinguishing parallelism from nondeterminacy, since the
models of [59] are stochastic extensions of (ordinary) Petri nets. This
precipitated the development described above and, specifically, led to
formulation of stochastic P-nets (SPN's). By their construction, SPN's are
more general than Natkin's stochastic Petri nets (hence our use of the name
P-net). Moreover, this added generality is indeed very useful in the context
of performability evaluation.

Concerning the modeling power of STS's, we have obtained some interesting
results which include the following. For the case when the processing periods
of the processes (transitions) are exponentially distributed, and there are
certain independence properties in the processing periods of different
processes (transitions) and in the behavior of nondeterminacy in the system,
it turns out that the state behavior of the system can be modeled as a
time-homogeneous semi-Markov process. We have also obtained a closed-form
solution for the corresponding semi-Markov kernel. This result is especially
important because this stochastic process can be used directly as a base
model for performability evaluation. Another result is related to the
priority and interactions among the processes (transitions) of the system. We
have found that the Markovian property of the state behavior is independent
of a rich class of the priority types and interactions among the processes
(transitions) of the system. This constitutes a generalization of related
results in queueing theory. Results from this research were presented at
[12].

3.11. Bibliography on Formal Methods

During the reporting period, we conducted a search of recent literature
concerning formal methods for system specification, design and validation. 
The aim of this search was to classify current literature on formal methods 
that might be meaningfully exploited in the specification, design, and valida- 
tion of avionic systems (where validation includes verification, testing and 
evaluation). The specific literature searched includes journal papers, confer- 
ence papers, and technical reports published during the five years from 1977 
to 1981. The articles are classified according to five topic areas: specification, 
design, verification, testing and evaluation. Because the survey was completed 
in September 1981, no citations appearing after that date are included in the 
resulting bibliography [19]. 

4. PUBLICATIONS 

4.1. Journal Articles 

[1] J. F. Meyer, "Closed-form solutions of performability," IEEE Transactions 
on Computers, July 1982, pp. 648-657. 

[2] J. F. Meyer, "On evaluating the performability of degradable computing 
systems", IEEE Transactions on Computers, August 1980, pp. 720-731. 

[3] J. F. Meyer, D. G. Furchtgott, and L. T. Wu, "Performability evaluation of 
the SIFT computer", IEEE Transactions on Computers, June 1980, pp. 
501-509. 

4.2. Conference Papers 



[4] J. F. Meyer, "Closed-form solutions of performability," in Proc. 1981 Int'l 
Symposium on Fault-Tolerant Computing, Portland, ME, June 1981, pp. 
66-71. 

[5] J. F. Meyer and L. T. Wu, "Evaluation of computing systems using functionals 
of a Markov process," Proc. 14th Hawaii Int'l Conf. on System 
Sciences, Honolulu, HI, Jan. 1981, pp. 74-33. 

[6] J. F. Meyer, D. G. Furchtgott, and L. T. Wu, "Performability evaluation of 
the SIFT computer", in Proc. 1979 Int'l Symp. on Fault-Tolerant Computing, 
Madison, WI, pp. 43-50, June 1979. 

[7] J. F. Meyer and L. T. Wu, "Phased models for evaluating the performability 
of computing systems," in Proc. 1979 Conference on Information 
Sciences and Systems, The Johns Hopkins Univ., Baltimore, Maryland, 
March 1979. 

[8] J. F. Meyer and D. G. Furchtgott, "Performability evaluation of 
fault-tolerant multiprocessors," in Digest of 1978 Government Microcircuit 
Applications Conference, Monterey, California, November 1978, pp. 362- 
335. 

[9] J. F. Meyer, "On evaluating the performability of degradable computing 
systems," in Proc. 8th International Symposium on Fault-Tolerant Computing, 
Toulouse, France, June 1978. 

[10] J. F. Meyer and R. A. Ballance, "Functional dependence and its applica- 
tion to system evaluation," in Proc. 1978 Conference on Information 
Sciences and Systems, The Johns Hopkins University, Baltimore, MD, 
March 1978. 

[11] J. F. Meyer, "A model hierarchy for evaluating the effectiveness of com- 
puting systems," in Proceedings 3rd National Reliability Symposium, 
Perros-Guirec, France, September 1976, pp. 539-555. 


4.3. Papers Presented (Not Published) 

[12] J. F. Meyer, "Performance-reliability evaluation of parallel systems", 
presented at the IEEE Computer Society Workshop on the Reliability of 
Local Area Networks, South Padre Island, TX, Feb. 1982. 

[13] J. F. Meyer, "Closed form solutions of performability," presented at the 
Workshop on the Validation of Fault-Tolerant Computers and Systems 
(IEEE), Luray, VA, Sept. 1960. 

[14] J. F. Meyer, "Unified performance-reliability evaluation of degradable 
computing systems," presented at the IFIP Working Conference on Reliable 
Computing and Fault-Tolerance, London, England, Sept. 1979. 



[15] J. F. Meyer, "Evaluating the unexpected," presented at the Workshop on 
Designing for the Unexpected (IEEE), St. Thomas, Virgin Islands, 
December 1978. 


[16] J. F. Meyer, "Modeling concepts for unifying performance and reliability 
evaluation," presented at the Symposium on Modelling and Simulation 
Methodology, Rehovot, Israel, August 1978. 


4.4. Technical Reports 

[17] L. T. Wu, "Models for evaluating the performability of degradable computing 
systems," Systems Engineering Laboratory Technical Report No. 
169, The University of Michigan, Ann Arbor, June 1982. 

[18] J. F. Meyer, D. G. Furchtgott, and A. Movaghar, "Models and techniques 
for evaluating the effectiveness of aircraft computing systems," Sys- 
tems Engineering Laboratory Technical Report No. 184, The University 
of Michigan, Ann Arbor, January 1 962. 

[19] J. F. Meyer, D. G. Furchtgott, and A. Movaghar, "A bibliography on formal 
methods for system specification, design, and validation," Systems 
Engineering Laboratory Technical Report No. 183, The University of 
Michigan, Ann Arbor, January 1962. 

[20] J. F. Meyer, D. G. Furchtgott, and A. Movaghar, "Models and techniques 
for evaluating the effectiveness of aircraft computing systems," Systems 
Engineering Laboratory Technical Report No. 155, The University 
of Michigan, Ann Arbor, July 1981. 

[21] J. F. Meyer, D. G. Furchtgott, A. Movaghar, and L. T. Wu, "Models and 
techniques for evaluating the effectiveness of aircraft computing systems," 
Systems Engineering Laboratory Technical Report No. 148, The 
University of Michigan, Ann Arbor, January 1981. 

[22] J. F. Meyer, "Closed-form solutions of performability," Systems 
Engineering Laboratory Technical Report No. 147, The University of 
Michigan, Ann Arbor, January 1901. 

[23] J. F. Meyer, D. G. Furchtgott, and L. T. Wu, "Models and techniques for 
Engineering Laboratory Technical Report No. 145, The University of 
[24] J. F. Meyer, D. G. Furchtgott, and L. T. Wu, "Models and techniques for 
[25] J. F. Meyer and L. T. Wu, "Evaluation of computing systems using func- 